Alternate PowerShell Hosts Pipe

Severity: medium
Author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
Source: upstream

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell

Event coverage

Provider	Event ID	Title
Sysmon	17	PipeEvent (Pipe Created)
Sysmon	18	PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: `selection`

PipeName|startswith: '\PSHost'

Stage 2: `not 1 of filter_main_*`

or:
Image|contains: 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
Image|contains: '\pwsh.exe'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
Image|contains: '\pwsh.exe'
Image: null
Image|contains: ':\Program Files\PowerShell\7-preview\pwsh.exe'
Image|contains: ':\Program Files\PowerShell\7\pwsh.exe'
Image|contains: ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
Image|contains: ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
Image|contains: ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Image|contains: ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
Image|contains: ':\Windows\System32\sdiagnhost.exe'
Image|contains: ':\Windows\System32\wsmprovhost.exe'
Image|contains: ':\Windows\system32\ServerManager.exe'
Image|contains: ':\Windows\system32\dsac.exe'
Image|contains: ':\Windows\system32\inetsrv\w3wp.exe'
Image|contains: ':\Windows\system32\wbem\wmiprvse.exe'

Stage 3: `not 1 of filter_optional_*`

or:
or:
Image|startswith: 'C:\Program Files (x86)\'
Image|startswith: 'C:\Program Files\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
Image|contains: '\Microsoft SQL Server\'
Image|endswith: '\GC\gc_worker.exe'
Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
Image|startswith: 'C:\Program Files\Citrix\'
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\GC\gc_worker.exe` `\Tools\Binn\SQLPS.exe` corpus 2 (sigma 2)
`Image`	match	`:\Program Files\PowerShell\7-preview\pwsh.exe` `:\Program Files\PowerShell\7\pwsh.exe` `:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` `:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe` `:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` `:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe` `:\Windows\System32\sdiagnhost.exe` `:\Windows\System32\wsmprovhost.exe` `:\Windows\system32\ServerManager.exe` `:\Windows\system32\dsac.exe` `:\Windows\system32\inetsrv\w3wp.exe` `:\Windows\system32\wbem\wmiprvse.exe` `C:\Program Files\WindowsApps\Microsoft.PowerShellPreview` corpus 4 (sigma 4) `\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview` corpus 4 (sigma 4) `\Microsoft SQL Server\` `\pwsh.exe` corpus 2 (sigma 2)
`Image`	starts_with	`C:\Program Files (x86)\` corpus 14 (sigma 14) `C:\Program Files\` corpus 15 (sigma 15) `C:\Program Files\AzureConnectedMachineAgent\GCArcService` `C:\Program Files\Citrix\` corpus 2 (sigma 2) `C:\Program Files\Microsoft\Exchange Server\` corpus 3 (sigma 3)
`PipeName`	starts_with	`\PSHost` corpus 2 (sigma 2)